Lots of ransomware with couple vulnerabilities

This week there was a lot of news related to ransomware, including the closure of Binance cryptocurrency exchanges in many countries due to money laundering. Not all vendors can fix vulnerabilities the first time, which is one way zero-day vulnerabilities appear.

  • Vulnerabilities: Pling application store, tons of vulnerabilities from Nvidia and unpatched SonicWall;
  • Tools: SSH bruteforcer + password attacks and camera’s “penetration” tools;
  • News: Ransomware section;
  • Research: Detection and response articles.

Feedback and Vulners docs


Vulnerabilities

Pling RCE vulnerability

Security researchers reported an unpatched critical vulnerability in the FOSS (Free and Open-Source Software) Pling application stores for Linux. The vulnerability allows attackers to remotely execute code and can potentially be used for attacks on the supply chain.

PlingStore allows users to find and install Linux software, themes, icons and extensions that cannot be downloaded from the distribution’s software center.

NVIDIA critical update

NVIDIA has released a security update addressing a total of 26 vulnerabilities in the Jetson System-on-Module (SOM) series. Their exploitation allows you to increase privileges on the system and cause a “denial of service” state. Vulnerabilities (CVE-2021-34372 to CVE-2021-34397) affect Jetson TX1, TX2, TX2 NX, AGX Xavier, Xavier NX series products, and Nano and Nano 2GB running all Jetson Linux versions up to 32.5.1.

Unpatched CVE-2021-20019

SonicWall VPN patched CVE-2020-5135 with a severity rating of 9.4, which allowed an unauthenticated user to trigger a DoS and perform remote code execution (RCE). At the time of its fix, there were almost 800 thousand vulnerable hosts on the network. The fix was released in October 2020 and we wrote about it in our digests.

Tripwire researcher Craig Young found that the patch was incorrect. As a result, the patched Sonic Wall began to issue a partial memory dump in response to a malicious HTTP request instead of DoS.


Tools

Shreder is a powerful multi-threaded SSH protocol password brute-force tool.

Key features:

  • Fast password guessing, just one password in 0.1 second;
  • Optimized for big password lists, Shreder tries 1000 passwords in 1 minute and 40 seconds;
  • Simple CLI and API usage.

RomBuster is a router exploitation tool that allows to disclosure network router admin password.

Key features:

  • Exploits vulnerabilities in most popular routers such as D-Link, Zyxel, TP-Link and Huawei;
  • Optimized to exploit multiple routers at one time from list with threading enabled;
  • Simple CLI and API usage.

CamOver is a camera exploitation tool that allows to disclosure network camera admin password.

Key keatures:

  • Exploits vulnerabilities in most popular camera models such as CCTV, GoAhead and Netwave;
  • Optimized to exploit multiple cameras at one time from list with threading enabled;
  • Simple CLI and API usage.

CamRaptor is a tool that exploits several vulnerabilities in popular DVR cameras to obtain network camera credentials.

Key features:

  • Exploits vulnerabilities in most popular camera models such as Novo, CeNova and QSee;
  • Optimized to exploit multiple cameras at one time from list with threading enabled;
  • Simple CLI and API usage.

News

Kimsuky APT

South Korean nuclear power research organization has acknowledged that it was hit by an attack allegedly carried out by the North Korean group Kimsuky. It is reported that attackers operating from thirteen unauthorized IP addresses gained access to the institute’s internal network. At the same time, one of these IP addresses was previously seen in attacks, which are also attributed to APT Kimsuky. The research organization said in a statement that the attackers managed to penetrate the organization’s network through a VPN vulnerability.

Binance money laundering

TheRecord, citing data from the Binance reports that according to an analysis, members of the Cl0p ransomware gang detained in Ukraine last week specialized in laundering the cryptocurrency received as a ransom.

Binance says the attackers have laundered more than $500 million worth of cryptocurrencies in total, which were ransomware ransomware Cl0p and Petya. The last ransomware is actually a very old strain and, as far as we remember, the sums it extorted could not be compared with the current ransom rates.

Lumen’s Black Lotus Labs has published a study of a new malware for remote access – ReverseRat. According to experts, the main goal of HPE is government and energy organizations in the regions of South and Central Asia.

Trend Micro warned of a new ransomware DarkRadiation

The malware is designed to attack Red Hat/CentOS, Debian Linux distributions. The attackers use the Telegram messenger to communicate with the C&C server.

The malware uses AES (Advanced Encryption Standard) symmetric block encryption algorithm with CBC mode to encrypt files in different directories. It is currently unknown about the malware’s distribution methods and there is no evidence that the ransomware was used in actual attacks.


Research

D3FEND – A knowledge graph of cybersecurity countermeasures https://d3fend.mitre.org

AD CS relay attack – practical guide: https://www.exandroid.dev/2021/06/23/ad-cs-relay-attack-practical-guide

Threat Detections for Container Lateral Movements and Container Escapes: https://medium.com/confluera-engineering/threat-detections-for-container-lateral-movements-and-container-escapes-this-is-how-dc595c6b53cc

Hunting Down MS Exchange Attacks. Part 2 (CVE-2020-0688, CVE-2020-16875, CVE-2021-24085): https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085

Azure Persistence with Desired State Configurations: https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-persistence-with-desired-state-configurations

https://cyberxplore.medium.com/how-we-are-able-to-hack-any-company-by-sending-message-including-facebook-google-microsoft-b7773626e447


Feedback and Vulners docs

Leave a Reply